EITest Campaign Evolution: From Angler EK to Neutrino and Rig

EITest is a long-running campaign that uses exploit kits (EKs) to distribute a variety of malware. This campaign was first identified in October 2014, and we reviewed how the EITest campaign evolved in a March 2016 blog post. In this blog post, I'll give an update on how the EITest campaign has evolved since March, including the changes in its injected-script and gate URL patterns and the chain of events that leads to a successful infection.

Change of patterns for injected script

Since October 2014, patterns for EITest injected script in compromised websites have remained remarkably consistent. Only the URLs and variable names changed. However, earlier this month EITest began using hex-obfuscated JavaScript to hide its injected code. Figure 2 shows the EITest script before the change.

Figure 2: An example of injected EITest script from Thursday, September 8, 2016.

By Monday, September 12, the EITest campaign was hiding its injected code with hex-obfuscated JavaScript. Figure 3 shows an example of EITest script after the change. The hex-obfuscation is highlighted in yellow.

Figure 3: An example of injected EITest script from Tuesday, September 13, 2016.

The highlighted portion in Figure 3 is plain percent-encoding (each character written as a percent sign followed by two hex digits), so it is easy to convert with any available URL decoder. Figure 4 shows the decoded script, which is similar to the unhidden script in Figure 2.

Figure 4: Decoded EITest script from the September 13 example.

By Friday, September 16, the EITest campaign had replaced the percent symbol in its hex-obfuscated JavaScript with a hyphen. A plain URL decoder no longer recovers the script until the hyphens are swapped back to percent signs. Figure 5 shows a current example of EITest script.

Figure 5: An example of injected EITest script from Friday, September 16, 2016.
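To decode both variants described above (the percent form from September 12 and the hyphen form from September 16) without depending on an online tool, the following is an added example and not code from the original post or from any EITest sample. The obfuscated input strings are constructed for illustration: they decode to a placeholder script tag pointing at the hypothetical host gate.example, which is not an EITest indicator. The decoder works byte by byte rather than with a naive delimiter swap, so a literal hyphen in the decoded output cannot be mistaken for an escape.

```python
import re
from typing import List, Optional

# Constructed sample, NOT actual EITest code: percent-delimited hex escapes
# that decode to a short script tag pointing at a hypothetical gate URL.
PERCENT_SAMPLE = (
    "%3Cscript%20src%3D%22http%3A%2F%2Fgate.example%2Fpath%22"
    "%3E%3C%2Fscript%3E"
)
# The same payload with the delimiter swapped to a hyphen, mirroring the
# September 16 change described in the post.
HYPHEN_SAMPLE = PERCENT_SAMPLE.replace("%", "-")

HEX_PAIR = r"([0-9A-Fa-f]{2})"


def detect_delimiter(s: str) -> str:
    """Pick whichever delimiter ('%' or '-') explains more of the string.

    Ties fall back to '%', the standard URL-encoding delimiter.
    """
    counts = {d: len(re.findall(re.escape(d) + HEX_PAIR, s)) for d in "%-"}
    return "-" if counts["-"] > counts["%"] else "%"


def decode_hex_obfuscated(s: str, delimiter: Optional[str] = None) -> str:
    """Decode <delimiter><hh> escapes into text.

    Escapes are collected as raw bytes and decoded as UTF-8 at the end, so
    multi-byte characters split across several escapes still come out right.
    Text outside the escapes is copied through unchanged.
    """
    if delimiter is None:
        delimiter = detect_delimiter(s)
    pattern = re.compile(re.escape(delimiter) + HEX_PAIR)
    out = bytearray()
    pos = 0
    for m in pattern.finditer(s):
        out += s[pos:m.start()].encode("utf-8")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += s[pos:].encode("utf-8")
    return out.decode("utf-8", errors="replace")


def extract_urls(decoded: str) -> List[str]:
    """Pull http(s) URLs out of decoded script so the gate URL can be pivoted on."""
    return re.findall(r"https?://[^\s\"'<>]+", decoded)


if __name__ == "__main__":
    for label, sample in (("percent", PERCENT_SAMPLE), ("hyphen", HYPHEN_SAMPLE)):
        decoded = decode_hex_obfuscated(sample)
        print(f"[{label}] delimiter={detect_delimiter(sample)!r}")
        print(f"[{label}] decoded : {decoded}")
        print(f"[{label}] urls    : {extract_urls(decoded)}")
```

Run it against a string copied from an injected page (with the page's own delimiter, or pass `delimiter="-"` explicitly if auto-detection is ambiguous on a short fragment); the extracted URL is what to search for across other proxy logs or compromised sites.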

Gate URL pattern change

Gate URL patterns for the EITest campaign have been fairly distinctive during the past few months. However, since Wednesday, September 14, the long URL patterns used for the gate have been replaced by much shorter, simpler HTTP requests, which makes the gate harder to identify from the URL alone.

Chain of events for a successful infection

As noted in our previous blog post, the EITest campaign continues to use a Flash file for redirection. The following sequence of events is usually noted in a Rig EK infection caused by the EITest campaign:

Conclusion

Now entering its third year, the EITest campaign continues to evolve. After Angler EK disappeared in June 2016, EITest switched to Neutrino EK and is now primarily using Rig EK. This campaign continues to distribute a variety of malware and shows no signs of stopping any time soon.

Domains, IP addresses, and other indicators associated with this campaign are constantly changing. Palo Alto Networks customers are protected from the EITest campaign through our next-generation security platform, including Traps, our advanced endpoint solution, which prevents EKs from compromising a system. We continue to investigate this activity to inform the community and further enhance our threat prevention.

Indicators of Compromise

The EITest gate uses an ever-changing variety of domain names. However, the IP addresses remain consistent over the course of several days or weeks, which makes them a more durable indicator than the domains. Below are the IP addresses used for the EITest gate URLs that we have found since late December 2015. Each IP address is preceded by the date it was first seen. Some of the IP addresses have occasionally reappeared well after their first seen date.

2015-12-29: 85.93.0.32

2016-02-03: 104.129.198.32

2016-02-24: 85.93.0.33

2016-03-16: 85.93.0.34

2016-04-01: 85.93.0.68

2016-05-18: 85.93.0.81

2016-06-06: 85.93.0.72

2016-06-11: 85.93.0.43

2016-07-18: 85.93.0.12

2016-08-17: 85.93.0.13

2016-08-25: 85.93.0.110

2016-08-30: 194.165.16.202

2016-09-01: 194.165.16.203

2016-09-02: 194.165.16.204

2016-09-08: 31.184.193.168

2016-09-14: 31.184.192.188

2016-09-19: 31.184.193.187
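Since the gate IP addresses outlive the throwaway domain names, an analyst will typically match proxy logs on the server IP rather than the host name. The following is an added example, not code from the original post: it carries the IOC list above as a lookup table, flags constructed proxy log lines whose destination is a known gate address, and groups the gate addresses by /24 to show how few ranges the campaign has used. The log format (date, time, client IP, method, URL, status, server IP) and the log lines themselves are constructed for illustration; the compromised.example and other host names are placeholders, not indicators from the post. A hit on a gate IP alone is a lead, not a verdict: confirm it against the preceding request to a compromised site and the follow-on EK traffic.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Gate IP addresses from the post's IOC list, keyed by first-seen date.
EITEST_GATE_IPS: Dict[str, str] = {
    "85.93.0.32": "2015-12-29",
    "104.129.198.32": "2016-02-03",
    "85.93.0.33": "2016-02-24",
    "85.93.0.34": "2016-03-16",
    "85.93.0.68": "2016-04-01",
    "85.93.0.81": "2016-05-18",
    "85.93.0.72": "2016-06-06",
    "85.93.0.43": "2016-06-11",
    "85.93.0.12": "2016-07-18",
    "85.93.0.13": "2016-08-17",
    "85.93.0.110": "2016-08-25",
    "194.165.16.202": "2016-08-30",
    "194.165.16.203": "2016-09-01",
    "194.165.16.204": "2016-09-02",
    "31.184.193.168": "2016-09-08",
    "31.184.192.188": "2016-09-14",
    "31.184.193.187": "2016-09-19",
}

# Constructed proxy log lines (NOT real traffic). Fields:
# date time client_ip method url status server_ip
SAMPLE_LOG = """\
2016-09-19 10:02:11 10.1.2.3 GET http://compromised.example/index.php 200 203.0.113.10
2016-09-19 10:02:12 10.1.2.3 GET http://random-words.example/some/path 200 31.184.193.187
2016-09-19 10:02:13 10.1.2.3 GET http://cdn.example/lib.js 200 198.51.100.7
2016-09-20 08:15:40 10.1.2.9 GET http://another-throwaway.example/ 200 85.93.0.110
"""


def find_gate_hits(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose server IP is a known EITest gate."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed or blank line; skip rather than guess
        date, time, client, _method, url, _status, server_ip = fields
        first_seen = EITEST_GATE_IPS.get(server_ip)
        if first_seen:
            hits.append({
                "when": f"{date} {time}",
                "client": client,
                "url": url,
                "server_ip": server_ip,
                "first_seen": first_seen,
            })
    return hits


def group_by_prefix(prefix_len: int = 24) -> Dict[str, List[str]]:
    """Group the gate IPs by network prefix to show how they cluster."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for ip in EITEST_GATE_IPS:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[str(net)].append(ip)
    return dict(groups)


if __name__ == "__main__":
    for hit in find_gate_hits(SAMPLE_LOG):
        print(f"{hit['when']} {hit['client']} -> {hit['server_ip']} "
              f"(gate first seen {hit['first_seen']}) {hit['url']}")
    for net, ips in sorted(group_by_prefix().items()):
        print(f"{net}: {len(ips)} gate address(es)")
```

The grouping shows that ten of the seventeen addresses sit in 85.93.0.0/24 and the rest in just three other /24s; whether to alert on the whole range rather than the listed hosts is a local decision, since the post only vouches for the individual addresses.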

1 Reader Comment

Baber Pervez, 7:42 pm on October 6, 2016

Excellent and very resourceful writeup! You’ve answered several questions for me here.